M365: Crate to facilitate compromised account investigation
in progress
Tim Fournet
Pulling logs from O365, identifying and rectifying malicious mail flow rules. Grabbing forensic data from cloud & end-user devices
Kiefer Froggatt | Ebstar IT
This also needs to revoke all active MFA tokens and force MFA re-registration. Latest account hijacks are also stealing MFA tokens from browsers and then inserting new MFA methods upon compromise.
Derrick Bennett
Would love for this to work natively with Huntress integrations as well...
Adam Willford
in progress
MVP is being scoped and planned for this automation.
Adam Willford
Merged in a post:
M365 - Email Compromise Response
Jamie Cartaya
Reset of Password
End all Sessions
Block Sign In
Pull report on Sign In Activities
Complete a Mail Recall
Pull a mailflow report to see what recipients were emailed during a specific timeframe
Send out email to those recipients to ignore / delete mail that was sent
Remove all mail rules that forward to an external domain
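The last step above, finding inbox rules that forward or redirect mail outside the tenant, is the part of this checklist that is easiest to get wrong by eye. The following is an added example (not code from this thread, Rewst, Hawk or CIPP) that runs offline over a constructed sample shaped like the JSON you get from `Get-InboxRule -Mailbox <user> | ConvertTo-Json`; the accepted domains, rule names and addresses are assumptions.

```python
"""Flag Exchange Online inbox rules that leak mail outside the tenant."""
import json
import re

# Constructed sample in the shape of `Get-InboxRule | ConvertTo-Json`.
# Exchange renders recipients as 'Display Name [SMTP:user@domain]';
# the rule names and addresses below are made up for the example.
SAMPLE_RULES_JSON = """
[
  {"Name": "Invoices", "Enabled": true,
   "ForwardTo": ["AR Team [SMTP:ar.finance@example.net]"], "DeleteMessage": true},
  {"Name": "Team copy", "Enabled": true,
   "RedirectTo": ["Bob [SMTP:bob@contoso.com]"], "DeleteMessage": false},
  {"Name": "Newsletters", "Enabled": true, "MoveToFolder": "Archive"}
]
"""

# Assumed tenant accepted domains (in practice: Get-AcceptedDomain).
ACCEPTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Every rule action that sends a copy of the message somewhere else.
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
_ADDR = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")


def external_addresses(recipients, accepted):
    """Return the SMTP addresses in `recipients` whose domain is not accepted."""
    found = []
    for entry in recipients or []:
        for match in _ADDR.finditer(entry):
            if match.group(1).lower() not in accepted:
                found.append(match.group(0).lower())
    return found


def suspicious_rules(rules, accepted):
    """Return [(rule name, reasons)] for rules forwarding mail externally.

    A forward combined with DeleteMessage is called out separately because it
    hides the forwarded copy from the mailbox owner, a common BEC pattern."""
    hits = []
    for rule in rules:
        reasons = [f"{f} -> {', '.join(ext)}" for f in FORWARD_FIELDS
                   if (ext := external_addresses(rule.get(f), accepted))]
        if reasons and rule.get("DeleteMessage"):
            reasons.append("DeleteMessage (forwarded copy hidden)")
        if reasons:
            hits.append((rule["Name"], reasons))
    return hits


def analyze_sample():
    """Run the check over the constructed sample."""
    return suspicious_rules(json.loads(SAMPLE_RULES_JSON), ACCEPTED_DOMAINS)
```

Only rules that actually leave the tenant are reported, so an internal redirect such as "Team copy" stays quiet; rules with a hit are candidates for `Remove-InboxRule` after a tech has reviewed them.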
Logan Cook
HAWK tool could be used for this: https://cloudforensicator.com/documentation
CIPP does something similar, but I would love to be able to associate the investigation and results to a ticket in PSA.
Example:
PoC reports potential incident > Tech runs flow from pod (or form) > HAWK tool gathers all related info and dumps into internal notes for tech review.
Might even be possible to include some conditions that are especially indicative of compromise and drop a "Remediate Now" webhook link.
Brent Kenreich
Especially Azure AD logons